CVE-2022-38196
BUG-000150537 - ArcGIS Server has a local file inclusion (LFI) vulnerability
In short
ArcGIS Server allows authenticated users to traverse directories and overwrite internal files, potentially disrupting the service. This happens because the application doesn't properly validate file paths provided by users.
Technical detail
A path traversal vulnerability in ArcGIS Server versions 10.9.1 and prior permits authenticated attackers to manipulate file paths using directory traversal sequences, enabling arbitrary file overwrite within ArcGIS Server directories. The vulnerability requires prior authentication and results in denial of service through corruption of critical internal files.
Summary generated and translated by AI from the official description.
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
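The vulnerability class described above (a user-controlled relative path joined onto a server directory without validation, so that "../" sequences reach and overwrite files outside the intended area) can be illustrated with the following added example. It is not ArcGIS Server code and does not reproduce the actual flaw; the base directories, request paths and file names are constructed for the demonstration. It shows the weak join beside the hardened resolver that rejects any path escaping the base directory.

```python
"""
Added illustration of the path-traversal-to-overwrite class described above.
Not ArcGIS Server code: base directories, request shape and file names are
constructed for this example.
"""
import tempfile
from pathlib import Path


def unsafe_target(base_dir: str, user_path: str) -> Path:
    """The weak pattern: joining a user-supplied relative path onto the base
    directory with no validation. '../' sequences escape base_dir."""
    return Path(base_dir) / user_path


def safe_target(base_dir: str, user_path: str) -> Path:
    """Hardened pattern: reject absolute input, resolve the joined path
    (collapsing '..' and symlinks) and require it to remain inside the
    resolved base directory. Raises ValueError on any attempt to escape."""
    if Path(user_path).is_absolute():
        # Path('/base') / '/etc/x' would discard the base entirely.
        raise ValueError("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def write_upload(base_dir: str, user_path: str, data: bytes,
                 validate: bool = True) -> Path:
    """Write data to base_dir/user_path with either resolver and return the
    path that was actually written."""
    target = (safe_target(base_dir, user_path) if validate
              else unsafe_target(base_dir, user_path))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Constructed scenario: an 'uploads' area next to a 'config' area that
    must never be writable through the upload path."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    config = root / "config"
    uploads.mkdir()
    config.mkdir()
    critical = config / "server.properties"   # stands in for an internal file
    critical.write_text("original")

    # A benign request is accepted by both resolvers.
    write_upload(str(uploads), "maps/site.json", b"{}")

    # Traversal request: the unsafe join silently overwrites the config file.
    write_upload(str(uploads), "../config/server.properties", b"corrupted",
                 validate=False)
    unsafe_overwrote = critical.read_text() == "corrupted"

    # Restore and retry with validation: rejected, file left intact.
    critical.write_text("original")
    try:
        write_upload(str(uploads), "../config/server.properties", b"corrupted")
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    safe_intact = critical.read_text() == "original"

    return {"unsafe_overwrote": unsafe_overwrote,
            "safe_rejected": safe_rejected,
            "safe_intact": safe_intact}


if __name__ == "__main__":
    print(demo())
```

The check compares fully resolved paths rather than inspecting the string for "..", so encoded or mixed-separator variants that normalise to the same location are caught the same way; the denial-of-service outcome in the description corresponds to the "corrupted" write that the hardened resolver refuses.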
Affected products
Esri · ArcGIS Server